Topics - gunnarf

1
22.7 Legacy Series / strange results with ipv6 not routed properly
« on: August 29, 2022, 04:17:25 pm »
I have a firewall with native ipv6 from my ISP. Using dhcpv6 I get a /56.

The clients get addresses properly, but there is something weird with the routing. If I ping Google I get:
ping 2001:4860:4860::8888
PING 2001:4860:4860::8888(2001:4860:4860::8888) 56 data bytes
64 bytes from 2001:4860:4860::8888: icmp_seq=1 ttl=60 time=2.80 ms
64 bytes from 2001:4860:4860::8888: icmp_seq=2 ttl=60 time=2.87 ms
64 bytes from 2001:4860:4860::8888: icmp_seq=3 ttl=60 time=3.01 ms
64 bytes from 2001:4860:4860::8888: icmp_seq=4 ttl=60 time=3.13 ms

if I ping another ipv6 destination I get:

ping 2001:67c:d8:ed80::87
PING 2001:67c:d8:ed80::87(2001:67c:d8:ed80::87) 56 data bytes
^C
--- 2001:67c:d8:ed80::87 ping statistics ---
8 packets transmitted, 0 received, 100% packet loss, time 298ms

This is a legitimate ipv6 address.

If I traceroute google I get:

traceroute6 2001:4860:4860::8888
traceroute to 2001:4860:4860::8888 (2001:4860:4860::8888), 30 hops max, 80 byte packets
 1  OPNsense.gflygt.se (2001:9b0:21d:XXXX:XXX:XXXX:fe51:6da9)  0.741 ms  0.494 ms  0.341 ms
 2  2a01:2b0:2000:152::2 (2a01:2b0:2000:152::2)  2.135 ms  2.157 ms  2.192 ms
 3  2a01:2b0:2000:152::5 (2a01:2b0:2000:152::5)  2.734 ms  2.591 ms  2.620 ms
 4  2001:4860:1:1::efc (2001:4860:1:1::efc)  2.963 ms  2.825 ms  2.791 ms
 5  2a00:1450:810a::1 (2a00:1450:810a::1)  3.888 ms 2a00:1450:80b2::1 (2a00:1450:80b2::1)  3.745 ms 2a00:1450:8112::1 (2a00:1450:8112::1)  2.604 ms
 6  dns.google (2001:4860:4860::8888)  2.680 ms 2001:4860:0:1::b7c (2001:4860:0:1::b7c)  3.972 ms  3.714 ms

If I traceroute the other address (mail-1.sr.se) I get:
traceroute6 2001:67c:d8:ed80::87
traceroute to 2001:67c:d8:ed80::87 (2001:67c:d8:ed80::87), 30 hops max, 80 byte packets
 1  OPNsense.gflygt.se (2001:9b0:21d:XXXX:XXX:XXXX:fe51:6da9)  0.695 ms  0.440 ms  0.542 ms
 2  OPNsense.gflygt.se (2001:9b0:21d:XXXX:XXX:XXXX:fe51:6da9)  0.401 ms !N  0.478 ms !N  0.349 ms !N

(I obfuscated my ipv6 address a little.)
I.e. it stops at the LAN address on my firewall.

So traceroute to google works fine, but not the other ordinary host. I can reach both hosts on my other firewall where I have tunneled ipv6!

It was fully working a while ago. I don't remember from which version of OPNsense it stopped working.

Gunnar

2
22.7 Legacy Series / Clients get ipv6 addresses but don't reach Internet
« on: August 10, 2022, 06:26:38 pm »
I just upgraded to 22.7.1 on my firewall with native ipv6 enabled, and the clients on the LAN don't get ipv6 addresses.

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.2.61  netmask 255.255.255.0  broadcast 192.168.2.255
        inet6 fe80::144c:494d:4836:2c33  prefixlen 64  scopeid 0x20<link>
        ether b8:27:eb:37:6f:4c  txqueuelen 1000  (Ethernet)
        RX packets 3466  bytes 729753 (712.6 KiB)
        RX errors 1  dropped 1  overruns 0  frame 0
        TX packets 3075  bytes 1900898 (1.8 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Nothing changed in the config.

It looks fine in the Dashboard. LAN gets the address it should.
 
UPDATE: I get an address (it took some time but it appeared) for my tested client, but I can't ping hosts on the Internet.

I can ping the LAN interface on the router, but not further. And a traceroute6 to an external host gives only the LAN interface.

3
22.1 Legacy Series / latest update not working properly
« on: June 12, 2022, 08:51:10 am »
***GOT REQUEST TO UPDATE***
Currently running OPNsense 22.1.8 (amd64/OpenSSL) at Sun Jun 12 08:49:19 CEST 2022
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Checking for upgrades (1 candidates): . done
Processing candidates (1 candidates): . done
The following 1 package(s) will be affected (of 0 checked):

Installed packages to be UPGRADED:
   opnsense: 22.1.8 -> 22.1.8_1

Number of packages to be upgraded: 1

4 MiB to be downloaded.
[1/1] Fetching opnsense-22.1.8_1.pkg: .......... done
Checking integrity... done (0 conflicting)
[1/1] Upgrading opnsense from 22.1.8 to 22.1.8_1...
[1/1] Extracting opnsense-22.1.8_1: .......... done
Stopping configd...done
Resetting root shell
Updating /etc/shells
Unhooking from /etc/rc
Unhooking from /etc/rc.shutdown
Updating /etc/shells
Registering root shell
Hooking into /etc/rc
Hooking into /etc/rc.shutdown
Starting configd.
>>> Invoking update script 'refresh'
Writing firmware setting...done.
Writing trust files...done.
Configuring login behaviour...done.
Configuring system logging...done.
=====
Message from opnsense-22.1.8_1:

--
Owl be watching you
Checking integrity... done (0 conflicting)
Nothing to do.
Checking all packages: .......... done
py37-markupsafe has a missing dependency: python37
py37-markupsafe has a missing dependency: py37-setuptools
py37-markupsafe is missing a required shared library: libpython3.7m.so.1.0

>>> Missing package dependencies were detected.
>>> Found 2 issue(s) in the package database.

pkg-static: No packages available to install matching 'python37' have been found in the repositories
pkg-static: No packages available to install matching 'py37-setuptools' have been found in the repositories
>>> Summary of actions performed:

python37 dependency failed to be fixed
py37-setuptools dependency failed to be fixed

>>> There are still missing dependencies.
>>> Try fixing them manually.

>>> Also make sure to check 'pkg updating' for known issues.
The following package files will be deleted:
   /var/cache/pkg/opnsense-22.1.8_1~cb594b0a31.pkg
   /var/cache/pkg/opnsense-22.1.8_1.pkg
The cleanup will free 4 MiB
Deleting files: .. done
All done
Nothing to do.
Starting web GUI...done.
Generating RRD graphs...done.
***DONE***

4
22.1 Legacy Series / Running native ipv6 but I get no ipv6 default route
« on: April 13, 2022, 04:52:20 pm »
My ISP provides me with a /56 range of ipv6. My clients get ipv6 addresses, but dhcpv6 doesn't provide a default route. It did work a while ago. I haven't changed my config, so what can be wrong?

5
22.1 Legacy Series / Is there any way I could script an ip address change for a remote system? (SOLVED)
« on: April 09, 2022, 08:01:01 am »
I have a problem with my ISP. I can't get a permanent ipv4 address for my main firewall access point. This means that if I reboot after an upgrade, I may sit there with a new public ip address, which means that both my sites won't be able to set up the VPN I have between the sites.

My thought then would be a cron script (on the remote firewall) checking (once a day) the public ip address on the main site (yes, it's reachable via DNS), retrieving the new address, then changing the ip address in the client VPN setup and reloading the VPN system (OpenVPN used).

Is this possible (yes of course  :) but how?)

6
22.1 Legacy Series / native ipv6 stopped working since upgrade to 22.x
« on: February 21, 2022, 07:10:42 am »
The Subject says it all. I've had native ipv6 running for 2 years now. Since the upgrade to ver 22 the DHCPv6 Server does not start. My configuration is untouched.

7
21.7 Legacy Series / OpenVPN stopped working after latest upgrade (SOLVED)
« on: September 13, 2021, 12:54:27 pm »
All in the Subject. Upgraded from 21.7.1 to 21.7.2, and OpenVPN starts the service in both ends and says the service is running, but no traffic can be established between the end points.

Nothing else has been changed, just the upgrade. I also made the latest upgrade to 21.7.2_1 on both nodes. Result the same.

8
21.7 Legacy Series / losing default ipv6 route after update to 21.7
« on: September 12, 2021, 11:10:42 am »
All of a sudden the default route is lost after a while, since the upgrade to 21.7.

If I set the route manually it is there a few days, then suddenly lost again. I have an ipv6 tunnel via Hurricane Electric.

9
21.1 Legacy Series / Latest upgrade in 21.1 branch OpenVPN stopped working, or?
« on: February 17, 2021, 12:07:00 pm »
I just upgraded to the latest distro in the 21.1 branch, and OpenVPN doesn't start! This is truly weird. I have OPNsense on my two sites. After the upgrade the OpenVPN indicator in the dashboard says that it is not working. And on the OpenVPN status page it says Service not running?

BUT! I can reach my other site via VPN!!?? Weird.

From the upgraded server:
root@OPNsense:~ # ps ax | grep openvpn
92767  -  Ss    0:00.53 /usr/local/sbin/openvpn --config /var/etc/openvpn/server1.conf

So the service is running, but it doesn't indicate so in the GUI.

10
20.1 Legacy Series / [Solved] Strange NTP time sync problem
« on: May 12, 2020, 01:09:29 pm »
I have two firewalls running OPNsense. On both of them I have set up ntp time synchronization. On box number 1 I get (if turning off ntp service):
root@OPNsense:~ # ntpdate 193.182.111.12
12 May 12:59:40 ntpdate[13215]: no server suitable for synchronization found

and on this box the service does not work!!! ??? And when starting NTP service I get "No active peers available"

On the other:
root@OPNsense:~ # ntpdate 193.182.111.12
12 May 13:08:27 ntpdate[97654]: adjust time server 193.182.111.12 offset +0.002239 sec

Works as expected.

No strange own rules on either box!

Gunnar

11
20.1 Legacy Series / [SOLVED] Not being able to get dhcpv6 to get answer from my ISP
« on: April 29, 2020, 12:12:43 pm »
I’ve configured my wan for getting a ::/56 from my ISP. For some reason it doesn’t work. They say they are fully compliant in answering dhcpv6.

A small tcpdump from my opnsense:
root@OPNsense:~ # tcpdump -i igb0 -n -vv '(udp port 546 or 547) or icmp6'
tcpdump: listening on igb0, link-type EN10MB (Ethernet), capture size 262144 bytes
17:30:17.484214 IP6 (hlim 1, next-header UDP (17) payload length: 89) fe80::20d:b9ff:fe51:6da8.546 > ff02::1:2.547: [bad udp cksum 0x25f8 -> 0x2737!] dhcp6 solicit (xid=124cce (client-ID hwaddr/time type 1 time 640886699 a0cec8ce700d) (elapsed-time 65535) (option-request DNS-server DNS-search-list) (IA_PD IAID:0 T1:0 T2:0 (IA_PD-prefix ::/56 pltime:4294967295 vltime:4294967295)))
17:32:19.326508 IP6 (hlim 1, next-header UDP (17) payload length: 89) fe80::20d:b9ff:fe51:6da8.546 > ff02::1:2.547: [bad udp cksum 0x25f8 -> 0x2737!] dhcp6 solicit (xid=124cce (client-ID hwaddr/time type 1 time 640886699 a0cec8ce700d) (elapsed-time 65535) (option-request DNS-server DNS-search-list) (IA_PD IAID:0 T1:0 T2:0 (IA_PD-prefix ::/56 pltime:4294967295 vltime:4294967295)))

I’ve checked the implicit rules generated when activating ipv6 on the WAN, and it looks ok, as far as I understand. But I still don’t get ipv6.

From my wan configuration:

ipv6 Configuration type: DHCPv6
Request only an ipv6 prefix: Yes
Prefix delegation size: 56
Send ipv6 prefix hint: Yes
Prevent release: Yes

Gunnar


12
19.7 Legacy Series / [SOLVED] Upgrade from 19.1 fails
« on: October 01, 2019, 02:57:27 pm »
I've tried several times now to upgrade my 19.1 to 19.7. I unlock the upgrade and push the Upgrade now button. It then starts to download, reboots, and when I log in again I'm still on 19.1.

I've also tried upgrading from the console and chose 19.7 when appropriate. Same result, after reboot still running 19.1.

When looking in updates it looks like this:

Package Name   Current Version   New Version   Required Action
base                   19.7.3          19.1.8          upgrade

Which is plain nonsense.

In the Dashboard it says:

Versions   OPNsense 19.1.10_1-amd64
FreeBSD 11.2-RELEASE-p14-HBSD
OpenSSL 1.0.2s 28 May 2019

13
19.7 Legacy Series / Solved - Routing the wifi network to internet
« on: July 22, 2019, 09:05:43 am »
An absolute beginner on OPNsense. I have my LAN network on 192.168.1.0/24 and a WiFi network on 192.168.2.0/24. Where do I route the WiFi network to be able to access the WAN?

14
19.1 Legacy Series / OPNsense doesn't set default gw when rebooting
« on: June 11, 2019, 02:15:18 pm »
Everything is in the subject. I have to set default gateway if the firewall machine reboots! How can I fix this very annoying problem?

15
19.1 Legacy Series / Shit hit the fan. fw not setting default gw
« on: June 03, 2019, 01:28:46 pm »
I experimented with changing from DHCP to a static address (yes I have one from my provider) on the WAN interface, and now when I returned to the original DHCP assigned address I get no default GW set! I rebooted the firewall, and when looking on the console with netstat -rn -finet, I have no default GW set.

The default gw I set up when trying static IP is still shown on the dashboard. I can't delete it.
